ON July 16, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included two critical vulnerabilities from Fortinet FortiSandbox and one from Microsoft SharePoint in its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities are as follows: 1) CVE-2026-25089 - Fortinet FortiSandbox OS Command Injection (CVSS 9.8); 2) CVE-2026-39808 - another OS Command Injection in FortiSandbox (CVSS 9.8); 3) CVE-2026-58644 - Microsoft SharePoint Deserialization of Untrusted Data (CVSS 9.8).
Microsoft has acknowledged the exploitation of the SharePoint vulnerability, which can be triggered without authentication. CISA has mandated that federal agencies address these vulnerabilities by July 19, 2026, to mitigate potential attacks.